Re: [RFC manager/network v2 0/3] fix #5066: make generated snat rules flushable

[Stefan Hanreich <s.hanreich@proxmox.com>]

Some things I noticed while testing:

Existing SDN SNAT rules are left untouched and the jump to the
PROXMOX-SDN chain is inserted at the bottom of the POSTROUTING chain in
the NAT table. Not sure how we'd approach this though since it's
basically impossible to tell for us which NAT rules are managed by us
and which NAT rules are not. Maybe we could try to detect this on
applying and print a warning at the very least? Maybe inserting the jump
at the top, rather than at the bottom would be better for that reason?
Although that might interfere with custom rules...


When applying the network configuration, there is now a small window
where no SNAT rule is active. This causes connections initiated during
that window to fail. It's easy to reproduce by adding a

  post-up sleep 5

to any interface block before the SDN blocks get executed. Trying to
initiate a outside connection then fails during that 5 second window.
Existing connections are unaffected though, since there's a conntrack
table entry and that's sufficient for NAT to work.

The only way to work around this I can think of is by creating a new
chain with a different name (PROXMOX-SDN-new) and create the ruleset
there. Afterwards, insert the jump to the new chain before the old chain
in the NAT table and finally delete the rule jumping to the old chain.
Afterwards, rename the PROXMOX-SDN-new chain to PROXMOX-SDN via the -E
option of iptables.

nftables would easily allow for an atomic change in NAT rules. Mixing
nftables and iptables should *theoretically* be possible although I'd
refrain from it - it's discouraged and asking for trouble imo.
Potentially something we should switch over to in PVE 10?


Reloading via `ifreload -a` still leaves us with duplicated rules - but
that should be fine imo since our SNAT rules can only change on applying
the SDN configuration and then they'd get rewritten anyway.


If there's no pre-existing PROXMOX-SDN chain, then an error will be
printed in the task log (albeit status is shown as OK):

  ip6tables: No chain/target/match by that name.



On 6/23/26 3:37 PM, Lukas Sichert wrote:
> When creating a subnet with SNAT enabled and applying the changes, then
> afterwards disabling SNAT and applying the changes again, the iptables
> POSTROUTING rule still persists. This is because ifreload -a only
> executes (post/pre-)down hooks when an interface is removed from
> /etc/network/interfaces, while the (post/pre-)up hooks are always
> executed [1]. As a result, the SNAT rule is not removed by 'ifreload -a' and
> only a restart or 'ifdown' will remove it.
> 
> This series moves generated SDN SNAT rules into a dedicated
> 'PROXMOX-SDN' chain in the iptables nat table and adds a jump from
> POSTROUTING to that chain. This keeps the generated rules separate from
> custom rules added by users or other components.
> 
> The dedicated chain can then be flushed during network reload, removing
> stale SDN SNAT rules without touching unrelated POSTROUTING rules.
> 
> As this changes the generated /etc/network/interfaces.d/sdn output, the
> expected test output is adjusted accordingly.
> 
> [1] manpages.debian.org/testing/ifupdown2/ifreload.8.en.html
> Link: https://bugzilla.proxmox.com/show_bug.cgi?id=5066
> 
> changes from v1 to v2 (thanks @Stefan):
> - rebase on top of master
> - create chain only when '$is_evpn_gateway' is true
> - add Links to commits
> 
> 
> network:
> 
> Lukas Sichert (2):
>   fix #5066: snat: push evpn snat rules into separate iptables chain
>   fix #5066: snat: push simplezone snat rules into separate iptables
>     chain
> 
>  src/PVE/Network/SDN/Zones/EvpnPlugin.pm          | 11 +++++++++--
>  src/PVE/Network/SDN/Zones/SimplePlugin.pm        | 15 ++++++++++++---
>  .../evpn/exitnode_snat/expected_sdn_interfaces   | 16 ++++++++++++----
>  .../simple/ipv4snat/expected_sdn_interfaces      |  8 ++++++--
>  .../simple/ipv6snat/expected_sdn_interfaces      |  8 ++++++--
>  5 files changed, 45 insertions(+), 13 deletions(-)
> 
> 
> manager:
> 
> Lukas Sichert (1):
>   fix #5066: reload networking: flush PROXMOX-SDN iptables chain at
>     reload
> 
>  PVE/API2/Network.pm | 3 +++
>  1 file changed, 3 insertions(+)
> 
> 
> Summary over all repositories:
>   6 files changed, 48 insertions(+), 13 deletions(-)
>